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What is claimed is: 

1. A method comprising providing a capability to 
perform operations on a computer system, the operations 
comprising : 

identifying one or more policies associated with a 
network component; 

generating a list of one or more groups to which the 
network component belongs; and 

identifying one or more policies associated with each 
of the groups in the generated list. 

2 . The method of claim 1 in which the network component 
comprises one or more of the following: a network device, a 
device group, a device subgroup, a user, a group of users, 
an application, a group of applications, an end-host, a 
group of end-hosts, and one or more time conditions. 

3 . The method of claim 2 in which at least one of the 
identified policies associated with the network component is 
currently deployed. 

4. The method of claim 2 in which at least one of the 
identified policies associated with the network component is 
currently undeployed. 
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5. The method of claim 1 in which identifying one or 
more policies associated with the network component 
comprises : 

searching an entry associated with the network 
component in an aggregated data set to identify one or more 
pointers to a deployment policy tree; and 

based on the identified one or more pointers, searching 
the deployment policy tree to identify one or more policies 
directly associated with the network component. 

6. The method of claim 1 in which generating the list 
of one or more groups to which the network component belongs 
comprises : 

searching an entry associated with the network 
component in an aggregated data set to identify a pointer to 
a network configuration tree; and 

based on the identified pointer, searching the 
configuration tree to identify a parent node corresponding 
to a group to which the network component belongs. 

7. The method of claim 6 further comprising recursively 
searching the aggregated data set and the configuration tree 
until a non-group node is encountered in the configuration 
tree . 

8. The method of claim 7 in which the recursive 
searching generates a group chain list. 
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9. The method of claim 1 in which identifying one or 
more policies associated with each of the groups in the 
generated list comprises, for each group in the list: 

searching an entry associated with the group in an 
aggregated data set to identify one or more pointers to a 
deployment policy tree; and 

based on the identified one or more pointers, searching 
the deployment policy tree to identify one or more policies 
directly associated with the group. 

10. The method of claim 1 in which one or more of the 
operations is performed at least in part using an aggregated 
data set. 

11. The method of claim 10 in which the aggregated data 
set comprises a hash table. 

12. The method of claim 10 in which the aggregated data 
set comprises a red-black tree. 

13. The method of claim 10 in which the aggregated data 
set comprises a plurality of entries, each entry 
corresponding to a network component and including a network 
component identifier, one or more pointers to a deployment 
policy tree, and a pointer to a network configuration tree. 

14 . The method of claim 1 in which providing a 
capability to perform operations on a computer system 
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comprises providing at a network management policy decision 
point a policy based network management software application 
capable of performing the operations. 

15. An article comprising: 

a storage medium having a plurality of machine readable 
instructions, wherein execution of the instructions causes a 
machine to perform operations comprising: 

identify one or more policies associated with a 
network component; 

generate a list of one or more groups to which the 
network component belongs; and 

identify one or more policies associated with each 
of the groups in the generated list. 

16. The article of claim 15 in which the network 
component comprises one or more of the following: a network 
device, a device group, a device subgroup, a user, a group 
of users, an application, a group of applications, an end- 
host, a group of end-hosts, and one or more time conditions. 

17. The article of claim 15 in which the instructions 
to identify one or more policies associated with the network 
component comprise instructions to: 

search an entry associated with the network component 
in an aggregated data set to identify one or more pointers 
to a deployment policy tree; and 
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based on the identified one or more pointers, search 
the deployment policy tree to identify one or more policies 
directly associated with the network component. 

18. The article of claim 15 in which the instructions 
to generate the list of one or more groups to which the 
network component belongs comprise instructions to: 

search an entry associated with the network component 
in an aggregated data set to identify a pointer to a network 
configuration tree; and 

based on the identified pointer, search the 
configuration tree to identify a parent node corresponding 
to a group to which the network component belongs. 

19. The article of claim 18 further comprising 
instructions to recursively search the aggregated data set 
and the configuration tree until a non-group node is 
encountered in the configuration tree. 

20. The article of claim 19 in which the recursive 
searching generates a group chain list. 

21. The article of claim 15 in which the instructions 
to identify one or more policies associated with each of the 
groups in the generated list comprises instructions to 
perform the following for each group in the list: 
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search an entry associated with the group in an 
aggregated data set to identify one or more pointers to a 
deployment policy tree; and 

based on the identified one or more pointers, search 
the deployment policy tree to identify one or more policies 
directly associated with the group. 

22. The article of claim 15 in which one or more of the 
operations is performed at least in part using an aggregated 
data set . 

23. The article of claim 22 in which the aggregated 
data set comprises a hash table or a red-black tree. 

24 . The article of claim 22 in which the aggregated 
data set comprises a plurality- of entries, each entry 
corresponding to a network component and including a network 
component identifier, one or more pointers to a deployment 
policy tree, and a pointer to a network configuration tree. 

25. A policy based network management (PBNM) system 
comprising: 

a network configuration tree configured to store a tree 
representation of a network configuration, the tree 
representation being formed of a plurality of nodes, each 
node corresponding to a network component; 
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a deployed policy tree configured to store a tree 
representation of policies associated with network 
components ; 

an aggregated data set configured to store a plurality 
of data elements including one or more identity elements, 
one or more pointers to the deployed policy tree, and one or 
more pointers to the network configuration tree, each 
identity element identifying a network component and having 
an associated network configuration tree pointer and one or 
more associated deployed policy tree pointers; and 

one or more software components configured to identify 
one or more policies associated with a network component ; 
generate a list of one or more groups to which the network 
component belongs; and identify one or more policies 
associated with each of the groups in the generated list. 

26. The system of claim 25 in which the network 
component comprises one or more of the following: a network 
device, a device group, a device subgroup, a user, a group 
of users, an application, a group of applications, an end- 
host, a group of end-hosts, and one or more time conditions. 

27. The system of claim 25 in which the one or more 
software components configured to identify one or more 
policies associated with the network component are 
configured to perform the following: 

search an entry associated with the network component 
in the aggregated data set to identify the network 
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component's one or more associated deployed policy tree 
pointers; and 

based on the identified one or more deployed policy 
tree pointers, search the deployment policy tree to identify 
one or more policies directly associated with the network 
component . 

28. The system of claim 25 in which the one or more 
software components configured to generate the list of one 
or more groups to which the network component belongs are 
configured to perform the following: 

search an entry associated with the network component 
in the aggregated data set to identify the network 
component's associated network configuration tree pointer; 
and 

based on the identified network configuration tree 
pointer, search the network configuration tree to identify a 
parent node corresponding to a group to which the network 
component belongs . 

29. The system of claim 28 in which the one or more 
software components recursively search the aggregated data 
set and the network configuration tree until a non-group 
node is encountered in the configuration tree. 

30. The system of claim 25 in which the one or more 
software components configured to identify one or more 
policies associated with each of the groups in the generated 
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list are configured to perform the following for each group 
in the list: 

search an entry associated with the group in the 
aggregated data set to identify the group's one or more 
associated deployed policy tree pointers; and 

based on the identified one or more deployed policy 
tree pointers, search the deployed policy tree to identify 
one or more policies directly associated with the group. 

31. The system of claim 25 in which the aggregated data 
set comprises a hash table. 

32. The system of claim 25 in which the aggregated data 
set comprises a balanced tree. 

33. A method comprising providing a capability to 
perform operations on a computer system, the operations 
comprising: 

receiving a request to identify one or more policies 
associated with a specified subject; 

identifying one or more policies directly associated 
with the specified subject ; 

generating a list of one or more groups to which the 
specified subject belongs; and 

identifying one or more policies associated with each 
of the groups in the generated list. 
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34. The method of claim 33 in which the specified 
subject comprises one or more of the following: a network 
device, a device group, a device subgroup, a user, a group 
of users, an application, a group of applications, an end- 
host, a group of end-hosts, and one or more time conditions. 

35. The method of claim 33 in which identifying one or 
more policies directly associated with the specified subject 
comprises : 

searching an entry associated with the specified 
subject in an aggregated data set to identify one or more 
pointers to a deployment policy tree; and 

based on the identified one or more pointers, searching 
the deployment policy tree to identify one or more policies 
directly associated with the specified subject. 

36. The method of claim 33 in which generating the 
list of one or more groups to which the specified subject 
belongs comprises: 

searching an entry associated with the specified 
subject in an aggregated data set to identify a pointer to a 
network configuration tree; and 

based on the identified pointer, searching the 
configuration tree to identify a parent node corresponding 
to a group to which the specified subject belongs. 
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37. The method of claim 36 further comprising 
recursively searching the aggregated data set and the 
configuration tree until a non-group node is encountered in 
the configuration tree. 

38. The method of claim 33 in which identifying one or 
more policies associated with each of the groups in the 
generated list comprises, for each group in the list: 

searching an entry associated with the group in an 
aggregated data set to identify one or more pointers to a 
deployment policy tree; and 

based on the identified one or more pointers, searching 
the deployment policy tree to identify one or more policies 
directly associated with the group. 

39. The method of claim 33 in which providing a 
capability to perform operations on a computer system 
comprises providing at a network management policy decision 
point a policy based network management software application 
capable of performing the operations. 



